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Abstract 

Software testing is one of the most popnlar validation techniques in the software industry. 
Surprisingly, we can only find a few approaches to testing in the context of logic program¬ 
ming. In this paper, we introduce a systematic approach for dynamic testing that combines 
both concrete and symbolic execution. Our approach is fully automatic and guarantees 
full path coverage when it terminates. We prove some basic properties of our technique 
and illustrate its practical usefulness through a prototype implementation. 

To appear in Theory and Practice of Logic Programming (TPLP), Proc. of ICLP 2015. 
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1 Introduction 

Essentially, software validation aims at ensuring that the developed software com¬ 
plies with the original requirements. One of the most popular validation approaches 
is software testing, a process that involves producing a test suite and then execut¬ 
ing the system with these test cases. The main drawback of this approach is that 
designing a test suite with a high code coverage —i.e., covering as many execution 
paths as possible— is a complex and time-consuming task. As an alternative, one 
can use a tool for the random generation of test cases, but then we are often faced 
with a poor code coverage. Some hybrid approaches exist where random generation 
is driven by the user, as in QuickCheck ( |Claessen and Hughes 2000| ), but then again 
the process may become complex and time-consuming. 

Another popular, fully automatic approach to test case generation is based on 
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lenciana under grant PROMETEOII/2015/013. Part of this research was done while the third 
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symbolic execution ( |King 1976[ IClarke 1976^ . Basically, symbolic execution consid¬ 
ers unknown (symbolic) values for the input parameters and, then, explores all 
feasible execution paths in a non-deterministic way. Symbolic states include now a 
path condition that stores the current constraints on symbolic values, i.e., the con¬ 
ditions that must hold to reach a particular execution point. For each final state, a 
test case is produced by solving the constraints in the associated path condition. 

A drawback of the previous approach, though, is that the constraints in the path 
condition may become very complex. When these constraints are not solvable, the 
only sound way to proceed is to stop the execution path, often giving rise to a poor 
coverage. Recently, a new variant called concolic execution (jCodefroid et al. 20051 
ISen et al. 2005[l that combines both concrete and symbolic execution has been pro¬ 
posed as a basis for both model checking and test case generation. The main advan¬ 
tage is that, now, when the constraints in the symbolic execution become too com¬ 
plex, one can still take some values from the concrete execution to simplify them. 
This is sound and often allows one to explore a larger execution space. Some success¬ 
ful tools that are based on concolic execution are, e.g., SAGE (jGodefroid et al. 2012|1 
and Java Pathfinder dPasareanu and Rungta 20T0| ). 

In the context of the logic programming paradigm, one can find a flurry of static, 
complete techniques for software analysis and verification. However, only a few dy¬ 
namic techniques for program validation have been proposed. Dynamic, typically 
incomplete, techniques have proven very useful for software validation in other 
paradigms. In general, these techniques are sound so that they avoid false positives. 
This contrasts with typical static verification methods which may produce some 
false positives due to the abstraction techniques introduced to ensure complete¬ 
ness. Therefore, we expect concolic execution to complement existing analysis and 
verification techniques for logic programs. 

In this paper, we introduce a new, fully automatic scheme for concolic testing 
in logic programming. As in other paradigms, concolic testing may help the pro¬ 
grammer to systematically find program bugs and generate test cases with a good 
code coverage. As it is common, our approach is always sound but usually incom¬ 
plete. In the context of logic programming, we consider that “full path coverage” 
involves calling each predicate in all possible ways. Consider, e.g., the logic pro¬ 
gram P = {p(a)., p{b).}. Here, one could assume that the execution of the goals 
in {p(a),p{b)} is enough for achieving a full path coverage. However, in this paper 
we consider that full path coverage requires, e.g., the set {p{X),p{a),p{b),p{c)} so 
that we have a goal that matches both clauses, one that only matches the first 
clause, one that only matches the second clause, and one that matches no clause. 
We call this notion choice coverage, and it is specific of logic programming. To the 
best of our knowledge, such a notion of coverage has not been considered before. 
Typically, only a form of statement coverage has been considered, where only the 
clauses used in the considered executions are taken into account. For guaranteeing 
choice coverage, a new type of unification problems must be solved: we have to 
produce goals in which the selected atom A matches the heads of some clauses, say 
Pfi,, Pin, but does not match the heads of some other clauses, say H[,..., 11!^. 
We provide a constructive algorithm for solving such unifiability problems. 
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A prototype implementation of the concolic testing scheme for pure Prolog, called 
contest, is publicly available from http://kaz.dsic.upv.es/contest.html. The 
results from an experimental evaluation point out the usefulness of the approach. 
Besides logic programming and Prolog, our technique might also be useful for other 
programming languages since there exist several transformational approaches that 
“compile in” programs to Prolog, like, e.g., (IGomez-Zamalloa et al. 2010p . 

Omitted proofs as well as some extensions can be found in the online appendix. 


2 Concrete Semantics 


The semantics of a logic program is usually given in terms of the SLD relation on 


goals dLloyd 1987 

L In this section, we present instead a local semantics which is 

similar to that of 

Strdder et al. (2011). Basically, this semantics deals with states 


that contain all the necessary information to perform the next step (in contrast 
to the usual semantics, where the SLD tree built so far is also needed, e.g., for 


dealing with the cut). In contrast to (|Stroder et al. 20TT]l . for simplicity, in this 
paper we only consider definite logic programs. However, the main difference w.r.t. 
(|Stroder et al. 20TT|) comes from the fact that our concrete semantics only considers 
the computation of the first solution for the initial goal. This is the way most Prolog 
applications are used and, thus, our semantics should consider this behaviour in 
order to measure the coverage in a realistic way. 

Before presenting the transition rules of the concrete semantics, let us introduce 
some auxiliary notions and notations. We refer the reader to ( |Apt 1997| ) for the 
standard definitions and notations for logic programs. The semantics is defined by 
means of a transition system on states of the form |... | ), where Bg^ |... | Bg^ 

is a sequence of goals labeled with substitutions (the answer computed so far, when 
restricted to the variables of the initial goal). We denote sequences with S,S',.. 
where e denotes the empty sequence. In some cases, we label a goal B both with a 
substitution and a program clause, e.g., Bf^^, which is used to determine the next 
clause to be used for an SLD resolution step (see rules choice and unfold in Fig. [T]). 
Note that the clauses of the program are not included in the state but considered 
a global parameter since they are static. In the following, given an atom A and 
a logic program P, clauses(A,P) returns the sequence of renamed apart program 
clauses ci,..., c„ from P whose head unifies with A. A syntactic object si is more 
general than a syntactic object S 2 , denoted si ^ S 2 , if there exists a substitution 
9 such that Si9 = S 2 - Var[o) denotes the set of variables of the syntactic object o. 
For a substitution 9, Var(9) is defined as Dom{9) U Ran{9). 

For simplicity, w.l.o.g., we only consider atomic initial goals. Therefore, given 
an atom A, an initial state has the form {Aid), where id denotes the identity 
substitution. The transition rules, shown in Figure [U proceed as follows: 

• In rules success and failure, we use fresh constants to denote a final state: 
(success^) denotes that a sucessful derivation ended with computed answer 
substitution S, while (fail^) denotes a finitely failing derivation; recording S 
for failing computations might be useful for debugging purposes. 
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ss) 
(failure) 

(choice) 

(unfold) 


(trues IS") —>■ (succESSs) 

((fail,B)s) ->■ (fails) 

clauses(j4, V) = (ci,..., Cn) A n > 0 

_mgu(A, J/i) = a _ 

((A, B)f S) ^ ((Bia, Sa)s. I S) 


(backtrack) 
(choicejail) ■ 


S^e 


((fail,B)s|5) ^ {S) 

clauses(j4, V) — {} 
((AB)s|5)^ ((fail,B)s|5) 


Fig. 1. Concrete semantics 

• Rule backtrack applies when the first goal in the sequence finitely fails, but 
there is at least one alternative choice. 

• Rule choice represents the first stage of an SLD resolution step. If there is at 
least one clause whose head unifies with the leftmost atom, this rule introduces 
as many copies of a goal as clauses returned by function clauses. If there is 
at least one matching clause, unfolding is then performed by rule unfold. 
Otherwise, if there is no matching clause, rule choice_fail returns fail so that 
either rule failure or backtrack applies next. 

Example 1 

Consider the following logic program: 

p(s(a)). q{a). r{a). 

p{s{X)) <-q{X). q{b). r{c). 

p{f(X))^r{X). 

Given the initial goal p{f{X)), we have the following successful computation (for 
clarity, we label each step with the applied rule): 

(p(/(x)),d) (riX^d) 

^choice {r{X)l!f'>\r{X)l!f'>) (true{x/a}|r(X):f) 

^success (sucCESS{jf/a}) 

Therefore, we have a successful computation for p{f{X)) with computed answer 
{X/a}. Observe that only the first answer is considered. 

We do not formally prove the correctness of the concrete semantics, but it is an 
easy consequence of the correctness of the semantics in (|Stroder et al. 20TT]) . Note 
that our rules can be seen as an instance for pure Prolog without negation, where 
only the computation of the first answer for the initial goal is considered. 

3 Concolic Execution Semantics 

In this section, we introduce a concolic execution semantics for logic programs that 
is a conservative extension of the concrete semantics of the previous section. In this 
semantics, concolic states have the form {S ][ S'), where S and S' are sequences of 
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(success) 

(failure) 

(backtrack) 

(choice) 

(choice_fail) 


(truej I S I truee | S') ~>o (success^ | succESSe) 


((fail, 6)5 ][ (fail,B')e) (fail^ | fails) 

S ^ t 

((fail, B)s 15- ][ (fail, B')e \ S') {S ][ S') 

clauses(A, P) = c^An>0A clauses(j4', V) = dk 
{{A, B)s 15 I (Al', B')e I S') ((Al, B)=i I ... I (Al, B)^" 15 

I (AI',B')sM-.-I(^'.B')s"|5') 

clauses(A, P) = {} A clauses(j4', V) = c^ 

{{A, B)s I 5 I {A', B')e \ S') -c(o,^(^)) ((fail, I 5 ][ (fail, B')e \ S') 


(unfold) 


mgu(j4, H\) = (T A mgu(A', H\) — a' 

{{A, B)f I S I {A', I S') ((Bia, Ba)s. \ S ][ (Bia', B'a')e.> \ S') 


Fig. 2. Concolic execution semantics 

(possibly labeled) concrete and symbolic goals, respectively. In logic programming, 
the notion of symbolic execution is very natural: the structure of both S and S' is 
the same, and the only difference is that some atoms might be less instantiated in 
S' than in S. 

In the following, we let denote the sequence of syntactic objects oi,... ,o„. 
Given an atom A, we let root{A) = p/n if A = p{tn)- Now, given an atom A with 
root{A) = p/n, an initial concolic state has the form {Aid \ p{^n)id)i where Xn 
are different fresh variables. In the following, we assume that every clause c has a 
corresponding unique label, which we denote by £(c). By abuse of notation, we also 
denote by the set of labels {^(ci),..., £{cn)}- 

The semantics is given by the rules of the labeled transition relation shown in 
Figure [ 2 ] Here, we consider two kinds of labels for the transition relation: 

• The empty label, o, which is often implicit. 

• A label of the form c{£{c^), £{dk)), which represents a choice step. Here, £{c^) 
are the labels of the clauses matching the selected atom in the concrete goal, 
while i{dk) are the labels of the clauses matching the selected atom in the 
corresponding symbolic goal. Note that £{c^) C £{dk) since the concrete goal 
is always an instance of the symbolic goal (see Theorem [T] below). 

For each transition step Ci "-^c{Ci,C 2 ) ^ 2 , the first set of labels, £ 1 , is used to 
determine the execution trace of a concrete goal (see below). Traces are needed to 
keep track of the execution paths already explored. The second set of labels, £ 2 , is 
used to compute new goals that follow alternative paths not yet explored, if any. 

In the concolic execution semantics, we perform both concrete and symbolic ex¬ 
ecution steps in parallel. However, the symbolic execution does not explore all pos¬ 
sible execution paths but only mimics the steps of the concrete execution; observe, 
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e.g., rule choice in Figured where the clauses labeling the copies of the symbolic 
goal are the same clauses matching the concrete goal, rather than the set of 
clauses dk (a superset of c^). 

Example 2 

Consider again the logic program of Example [U now with clause labels: 

(£i) p{s{a)). (4) q{a). (4) r{a). 

{£ 2 )p{s{X))^q{X). (4)g(&). (^ 7 )r(c). 

{i 3 )p{f{X))^riX). 

Given the initial goal p{f{X)), we have the following concolic execution: 

{p{f{X)U ][p{NU 

-C(2“c') HXY^:^\r{Xr^;^ I’^(^)w/(V)}I"(^)W/(V)}) 

^unfold {tru&{x/a}\r{XY^Y'^ I true^N/fia)}\r{YY^^Y]f{Y)}) 

^success (suCCESS{x/a} ][ SUCCESS{iV//(a)}) 
where Ci = {4}, £[ = {€i,4,4}, and £2 = A = {4,41- 

In this paper, we only consider finite concolic executions for initial goals. This is 
a reasonable assumption since one can expect concrete goals to compute the first 
answer finitely (unless the program is erroneous). We associate a trace to each 
concolic execution as follows: 

Definition 1 {trace) 

Let P be a program and Co an initial concolic state. Let E = (Cq Cm), 

m > 0, be a concolic execution for Cq in P. Let c{Ci,C'i), ■ ■ ■ ,c{Ck, £'k), k ^ rn, 
be the sequence of labels in li,... ,lm which are different from o. Then, the trace 
associated to the concolic execution E is trace{E) = £ 1 ,..., £fc. 

Roughly speaking, a trace is just a sequence with the sets of labels of the match¬ 
ing clauses in each choice step. For instance, the trace associated to the concolic 
execution of Example [2] is ({4}, {4, f’r}), be., we have two unfolding steps with 
matching clauses {4} and {£^,£ 7 }, respectively. Note that traces ending with { } 
represent failing derivations. 

The following result states an essential invariant for concolic execution: 

Theorem 1 

Let P be a program and Cq = {p{tn)id \p{Xn)id) be an initial concolic state. Let 
Cq ... '^ Cm, m ^ 0, be a finite (possibly incomplete) concolic execution for Cq 
in P. Then, for all concolic states Ci = {Bg \S ][Vg | S"), i = 0, ..., m, the following 
invariant holds: IS”! = \S'\, V ^ B, c = c' (if any), and p(X„)d < p{tn)S. 


4 Concolic Testing 

In this section, we introduce a concolic testing procedure for logic programs based 
on the concolic execution semantics of the previous section. 
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4 ■ 1 The Procedure 

As we have seen in Section [3l the concolic execution steps labeled with c(£i,£ 2 ) 
give us a hint of (potential) alternative execution paths. Consider, for instance, the 
concolic execution of Example [2] The first step is labeled with €({£ 3 }, {£i, ^ 2 , ^a})- 
This means that the selected atom in the concrete goal only matched clause £ 3 , while 
the selected atom in the symbolic goal matched clauses £ 1 , £2 and £ 3 . In principle, 
there are as many alternative execution paths as elements in iP({£i, £ 2 ,£ 3 }) \ {£ 3 }; 
e.g., { } denotes an execution path where the selected atom matches no clause, {£ 1 } 
another path in which the selected atom only matches clause £ 1 , {£ 1 , £ 2 , £ 3 } another 
path where the selected atom matches all three clauses £ 1 , £2 and £ 3 , and so forth. 

When aiming at full choice coverage, we need to solve both unification and disuni- 
fication problems. Consider, e.g., that A is the selected atom in a goal, and that we 
want it to unify with the head of clause £1 but not with the heads of clauses £2 and 
£ 3 . For this purpose, we introduce the following auxiliary function alt, which also in¬ 
cludes some groundness requirements (see below). In the following, we let Ri denote 
the unifiability relation, i.e., given atoms A, B, A Ki B holds if mgu(A, B) ^ fail; 
correspondingly, -^{A « B) holds if mg\i{A,B) = fail. 

Definition 2 (alt) 

Let A be an atom and £, £' be sets of clause labels. Let V be a set of variables. 
The function alt(A, £, £', V) returns a substitution 9 such that the following holds: 

A9 Ki Hi f\... /\ A9 Ki Hn A -^{A9 k. Hn+i) A ... A -^{A9 « Hm) A V9 are ground 

where Hi,... ,iJ„ are the heads of the (renamed apart) clauses labeled by £ and 
Hn+i,... ,Hm are the heads of the (renamed apart) clauses labeled by £'\£, re¬ 
spectively. If such a substitution does not exist, then function alt returns fail. 

When the considered signature is finite0 the following semi-algorithm is trivially 
sound and complete for solving the above unifiability problem: first, bind A with 
terms of depth 00 If the condition above does not hold, then we try with terms 
of depth I, and check it again. We keep increasing the considered term depth 
until a solution is found. If a solution exists, this naive semi-algorithm will find it 
(otherwise, it may run forever). In practice, however, it may be very inefficient. 

Observe that, in general, there might be several most general solutions to the 
above problem. Consider, e.g., A = p{X, Y), TLpos = {p{Z, Z),p(a, &)} and TLneg = 
{p(c, c)}. Then, bothp(a, U) andp(C/, h) are most general solutions. In principle, any 
of them is equally good in our context. We postpone to the next section the intro¬ 
duction of a constructive algorithm for function alt. Here, we present an algorithm 
to systematically produce concrete initial goals so that all feasible choices in the 
execution paths are covered (unless the process runs forever). First, we introduce 
the following auxiliary definitions: 


^ Full Prolog and infinite signatures like integers or real numbers are left as future work. 

^ The depth depth (t) of a term t is defined as usual: depth (t) = 0 if t is a variable or a constant 
symbol, and depth{f{ti,... ,t„)) = 1-1- max(depth(ti),..., depth(tn)), otherwise. 


F. Mesnard and E. Payet and G. Vidal 


Definition 3 (cone, symb) 

Let C = I... I I I... I be a concolic state. Then, we let conc(C) = 
denote the first concrete goal and symb(C) = Vg^ the first symbolic goal. 

Definition f (alt_trace) 

Let P be a program, Co an initial concolic state, and E = (Cq 

'^c{C,C') Cn+i) be a (possibly incomplete) concolic execution for Cq in P. Then, 
the function alt.trace denotes the following set of (potentially) alternative traces: 

alt_trace(£’) = {Ci,..., Ck, C" \ trace{Co'^i^ ■ • ■ C„) =Ci,...,Ck 

and C" e (P(£') \ £) } 

For instance, given the following (partial) concolic execution E from Example [2] 
(p(/(X)),, Ip(iV),,) 

{riXU][r{Y)^^^f^y)y) 

where £i = {4}, £'i = {^ 1 ,^ 2 ,4}, £2 = A = {4,^7}, we have traee{E) = £i,£ 2 , 
P(A) \ £2 = {{ }, m, {ir}}, and alt_trace(i:;) = {(£ 1 , { }), (£ 1 , {4}), (£ 1 , {^ 7 })}. 

Now, we introduce our concolic testing procedure. It takes as input a program 
and a random —e.g., provided by the user— initial atomic goal rooted by the 
distinguished predicate main/n. In the following, we assume that each concrete 
initial goal mainifn) is existentially terminating w.r.t. Prolog’s leftmost computa¬ 
tion rule, i.e., either computes the first answer in a finite number of steps or finitely 
fails (|Vasak and Potter 19861) . For this purpose, we assume that main/n has some 
associated input arguments, determined by a function input, so that an initial goal 
mainifn) existentially terminates if the terms input(mam(t„)) are ground. One 
could also consider that there are several combinations of input arguments that 
guarantee existential termination —this is similar to the modes of a predicate— 
but we only consider one set of input arguments for simplicity (extending the con¬ 
colic testing algorithm would be straightforward). As mentioned before, assuming 
that concrete initial goals are existentially terminating is a reasonable assumption 
in practice. 

Definition 5 {concolic testing) 

Input: a logic program P and an atom main{tn) with input(mam(t„)) ground. 
Output: a set TC of test cases. 

1. Let Pending := {main{tn)}, TC := {}, Traces := {}. 

2. While \Pending] 0 do 

(a) Take A € Pending, Pending := Pending\{A\, TC := TC U {A}. 

(b) Let Co = {Aid ][ niain{Xn)id) and compute a successful or finitely 

failing derivation E = (Cq Cm)- 

(c) Let Traces := Traces U {trace{E)}. 

(d) We update Pending as follows: 

• for each prefix Cq Cj '^c{C,C') Cj+i of E and 
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• for each (possibly partial) trace Ck,Ck+i G alt_trace(Co 

... Cj '^c{c,c') Cj+i) which is not the prefix of any trace 
in Traces, 

• add main{Xn)09' to Pending if alt(yli, £fc+i, G) = 9' ^ fail 
where G = Var(input(ma*n(X„)d)) and symb(Cj) = (Ai,S)elf| 

3. Return the set TC of test cases 

The soundness of concolic testing is immediate, since each atom from TC is indeed 
a test case of the form mam(sT) with \nput{main{'s^)) ground. Completeness and 
termination are more subtle properties though. 

In principle, one could argue that the concolic testing algorithm is a complete 
semi-algorithm in the sense that, if it terminates, the generated test cases cover all 
feasible paths. Our assumptions trivially guarantee that every considered concrete 
execution is finite (i.e., step ( 2 b) in the loop of the concolic testing algorithm). 
Unfortunately, the algorithm will often run forever by producing infinitely many 
test cases. Consider, e.g., the following simple program: 

(£i) nat(0). {£ 2 ) nat{s{X)) ^ nat{X). 

Even if every goal natit) with t ground is terminating, our algorithm will still 
produce infinitely many test cases, e.g., nat(O), nat(s(0)), nat(s(s(0))), ..., since 
each goal will explore a different path (i.e., will produce a different execution trace: 
({•^ 1 })) ({^ 2 }, {-^i}), ({^ 2 }, {-^ 2 }, {^ 1 }), etc). In practice, though, the quality of the 
generated test cases should be experimentally evaluated using a coverage tool. 

Therefore, in general, we will sacrifice completeness in order to guarantee the 
termination of concolic testing. For this purpose, one can use a time limit, a bound 
for the length of concolic executions, or a maximum term depth for the arguments 
of the generated test cases. In this paper, we consider the last approach. Then, 
one can replace the use of a particular function alt in step (2d) of Definition [5] by 
a function altfc with altk(A, , G) = alt(A, £, £', G) = 9 if depth{t) ^ k for all 
X/t S 9, and altfe(A, £, £', G) = fail otherwise. This is the solution we implemented 
in the concolic testing tool described in Section lT3l 

For instance, by requiring a maximum term depth of 1, the generated test cases 
for the program nat above would be nat{0), nat{l), nat{s{0)) and nat{s{l)), where 
1 is a fresh constant symbol, with associated traces ({^ 1 }), ({ }), ({^ 2 }, {-^i}), and 
({^ 2 }, { }), respectively. 

Termination of the algorithm in Definition [5] is then guaranteed since only a finite 
number of new atoms can be added in step ( 2 d) —up to variable renaming— and, 
moreover, only those (possibly partial) traces which are not a prefix of any trace 
already in the set Traces are considered. Observe that these facts suffice to ensure 
termination of the algorithm since one cannot have infinitely many traces with a 
finite number of atoms. 


® I.e., Ai is the first atom of the symbolic goal symb(Cj) of the concolic state Cj, see Definition[3] 
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4-2 Solving Unifiability Problems 

In this section, we present a constructive algorithm for function alt. Let us first 
reformulate our unification problem in slightly more general terms than in Defini¬ 
tion O Let A be an atom and Hpos , Tdneg be two sets of atoms the elements of 
which are variable disjoint with A and unify with A, and a set of variables G. The 
problem consists in finding a substitution cr such that 

ViL”*" G 'Hpos- Aa « A ViL“ G 'Hneg- -'{Aa w H~), and Ga is ground (*) 

We introduce a stepwise method that, roughly speaking, proceeds as follows: 

• First, we produce some “maximal” substitutions 0 (called maximal unifying 
substitution below) for A such that A9 still unifies with the atoms in T-Lpos- 
Here, we use a special set U of fresh variables with Var{{A} U T-Lpos U T-Lneg) H 
U = {}. The elements of U are denoted by [/, U', Ui... Then, in 9, the 
variables from U (if any) denote positions where further binding will prevent 
A0 from unifying with some atom in 'Hpos- In contrast, A9a' still unifies with 
all the atoms in 'Hpos as long as o' does not bind any variable from U. Roughly 
speaking, we apply some (minimal) generalizations to the atoms in 'Hpos so 
that they unify, and then return their most general unifier. 

For this stage, we use well known techniques like variable elimination (jMartelli and Montanari 1982[l 
and generalization (from the algorithm for most specific generalization (jPlotkin 1970p i: 
see Definition |6] below. 

• In a second stage, we look for another substitution g such that 9g is a solution 
for (*). Here, we basically follow a generate and test algorithm (as in the naive 
algorithm above), but it is now much more restricted thanks to 9. 


4-2.1 The Positive Atoms 

Here, we will use the variables from the special set lA to replace disagreement pairs 
(see ( ]Apt 1997] ) p. 27). Roughly speaking, given terms s and t, a subterm s' of s 
and a subterm t' of t form a disagreement pair if the root symbols of s' and t' are 
different, but the symbols from s' up to the root of s and from t' up to the root 
of t are the same. For instance, X,g(a) and b,h{Y) are disagreement pairs of the 
terms f{X,g{b)) and f{g{a),g{h{Y))). A disagreement pair t,t' is called simple if 
one of the terms is a variable that does not occur in the other term and no variable 
of U occurs in t,t'■ We say that the substitution {A/s} is determined by t,t' if 
{A,s} = {t,t'}- 

Basically, given an atom A and a set of atoms 'Hpos, the following algorithm 
nondeterministically computes a substitution 9 such that A9a' still unifies with all 
the atoms in 'Hpos as long as o' does not bind any variable from hi. 

Definition 6 (maximal unifying substitution) 

Input: an atom A and a set of atoms 'Hpos such that Var{{A} U 'Hpos) C\U = {} 
and Atv B ioT all B G Hpos ■ 

Output: a substitution 9. 
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1. Let B := {A} U TLpos- 

2. While simple disagreement pairs occur in B do 

(a) nondeterministically choose a simple disagreement pair X, t (resp. 
t, X) in S such that there is no other simple disagreement pair of 
the form X,t' (or t',X) with t < t' (i.e., a strict instance); 

(b) set B to Brj where rj = {X/t}. 

3. While \B\ 1 do 

(a) nondeterministically choose a disagreement pair t,t' in B; 

(b) replace all disagrement pairs t, t' in 6 by a fresh variable of 14. 

4. Return 9, where B = {B}, A9 = B, and Dom{9) C Var{A). 

We note that the algorithm assumes that the input atom A is always more general 
than the final atom B so that the last step is well defined. An invariant proving 
that this is indeed the case can be found in the online appendix (Appendix B). 

Observe that the step (2a) is nondeterministic since there may exist several 
disagreement pairs X,t (or t,X) for the same variable X. Consider the atom 
A = p{X,Y) and the set 'Hpos = {p( 0 ‘,b),p(Z, Z)}. Then, both {X/a,Y/U} and 
{X/U, Y/b} are maximal unifying substitutions, as the following example illustrates: 

Example 3 

Let A = p{X,Y) dmATLpos = {p{a,b),p{Z, Z)},withS := {p{X,Y),p{a,b),p{Z, Z)}. 
The algorithm then considers the simple disagreement pairs in B. From X, a, we 
get r]i := {X/a} and the action (l2bl) sets B to Brji = {p{a,Y),p{a,b),p{Z, Z)}. 
The substitution r ]2 '■= {Y/b} is determined by Y,b and the action (l2b)) sets B to 
Br ]2 = {p(«, b),p{Z, Z)}. Now, we have two non-deterministic possibilities: 

• If we consider the disagreement pair a, Z, we have a substitution 773 := {Z/a} 
and Action (l2bl) then sets B to Br]z = {p(a, &),p(a, a)}. Now, no simple dis¬ 
agreement pair occurs in B, hence the algorithm jumps to the loop at line[3l 
Action (l3bl) replaces the disagreement pair 6 , a with a fresh variable U G 14, 
hence B is set to {p{a,U)}. As \B\ = 1 the loop at line [3] stops and the 
algorithm returns the substitution {X/a,Y/U}. 

• If we consider the disagreement pair b, Z instead, we have a substitution 
773 := {Z/b}, and Action (l2bl) sets B to Brj'^ = {p{a,b),p{b,b)}. Now, by 
proceeding as in the previous case, the algorithm returns {X/U,Y/b}. 

4-2.2 The Negative Atoms 

Now we deal with the negative atoms by means of the following algorithm which is 
the basis of our implementation of function alt: 

Definition 7 [PosNeg) 

Input: an atom A and two sets of atoms TLpos^ TLneg, the elements of which are 
variable disjoint with A and unify with A, and a set of variables G. 

Output: fail or a substitution Or] (restricted to the variables of A). 
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1. Let 6 be the substitution returned by the algorithm of Definition |6]with input 
A and 'Hpos- 

2. Let r] be an idempotent substitution such that GOrj is ground. 

3. Check that Donn(rj) C Var{A6) and Var(ri) DU = {}, otherwise return fail. 

4. Check that for each H~ G Hneg, ^{AOrj k. H~), otherwise return fail. 

5. Return drj (restricted to the variables of A). 

The correctness of this algorithm is stated as follows: 

Theorem 2 

Let A be an atom and 'Hpos, Hneg be two sets of atoms such that Var{{A}LiHpos U 
Hneg) fMA = {} and Ak, B ior all B G Hpos U Hneg, and a set of variables G. The 
algorithm in Definition 0 always terminates and, if it returns a substitution cr, then 
AafvH a « H') holds and Ga is ground. 

Example 4 

Let A := p{X), Hpos ■= {p(s(F))}, Hneg ■= {p(s(0))}, and G := {X}. The algo¬ 
rithm of Definition ini returns 6 = {X/siY)}. We take rj = {F/s(0)}, it is idempotent 
and G0r] is ground. Dom{ri) C Var{A9) and Var{r]) = {T} does not intersect with 
U. Finally, AOp = p(s(s(0))) does not unify withp(s(0)). The algorithm thus returns 
Or] = {X/s(s(0)), y/s(0)} restricted to the variables of A, i.e., {X/s(s(0))}. 

Example 5 

Let A := p{X), Hpos ■= {p{a),p(b)}, Hneg ■■= {pif{Z))}, and G := {}. The al¬ 
gorithm of Definition El applied to A and Hpos returns 0 = {X/U}. However, we 
cannot find rj such that AOrj does not unify with p{f{Z)) without binding U. The 
algorithm thus returns fail. 

Theorem [2] states the soundness of our procedure for computing function alt. As for 
completeness, we claim that binding an atom A with all possible maximal unifying 
substitutions for A and Hpos does not affect to the existence of a solution to the 
unification problem (*) above (see the online appendix (Appendix B) for more 
details). 


4-3 A Tool for Concolic Testing 

In this section, we present a prototype implementation of the concolic testing 
scheme. The tool, called contest, is publicly available from the following URL 

http://kaz.dsic.upv.es/contest.html 

It consists of approx. 1000 lines of Prolog code and implements the concolic testing 
algorithm of Definition [5] with function alt as described in Section 221 and a maxi¬ 
mum term depth that can be fixed by the user in order to guarantee the termination 
of the process. Moreover, we also introduced a bound for the number of alternatives 
when computing function alt_trace (see Definition 21) ■ Roughly speaking, when the 
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Table 1. Clause coverage analysis results (SICStus Prolog) 


paper 

100% 

paper2 

100% 

nat 

100% 

advisor 

100% 

applast 

100% 

depth 

88% 

regexp 

86% 

relative 

100% 

rotateprune 100% 

transpose 100% 

mult 

100% 

Hanoi 

100% 

automaton 

100% 

qsort 

95% 

inclist 

100% 

doubleflip 100% 

recacctype 100% 

ackermann 100% 

fibonacci 

100% 

preorder 

100% 


number of alternatives is too high, we give up aiming at full choice coverage and 
return sets with only one clause label (which suffice for clause coverage). 

Table [T] shows a summary of the coverage achieved by the test cases automati¬ 
cally generated using contest. The complete benchmarks -including the source code, 
initial goal, input arguments and maximum term depth- can be found in the above 
URL. We used the coverage analysis tool of SICStus Prolog 4.3.1, which basically 
measures the number of times each clause is used. The results are very satisfactory, 
achieving a full coverage in most of the examples. 

The current version is a proof-of-concept implementation and only deals with pure 
Prolog without negation. We plan to extend it to cope with full Prolog. The concrete 
semantics can be extended following (|Strdder et al. 20lT|l , and concolic execution is 
in general a natural extension of the semantics in Figure [2] For relational built-in’s 
or equalities, we should label the execution step with an associated constraint, which 
can then be used to produce alternative execution paths by solving its negation. 
In this context, our tool will be useful not only for test case generation, but also 
to detect program errors during concolic testing (e.g., negated atoms which are 
not instantiated enough, incorrect calls to arithmetic built-in’s, etc). See the online 
appendix (Appendix A) for more details on extending concolic execution to full 
Prolog. 


5 Related Work and Concluding Remarks 


Mera et al. (20091 present a framework unifying unit testing and run-time verifica¬ 
tion for the Ciao system ( |Hermenegildo et al. 20121 ). The ECL^PS® constraint pro¬ 
gramming system dSchimpf and Shen 2012[ ) and SICStus Prolog (|Carlsson and Mildner 2012)l 
both provide tools which run a given goal and compute how often program points 
in the code were executed. SWI-Prolog (IWielemaker et al. 20121) offers a unit test¬ 
ing tool associated to an optional interactive generation of test cases. It also in¬ 
cludes an experimental coverage analysis which runs a given goal and computes 


the percentage of the used clauses and failing clauses. Belli and Jack (19931 and 


Degrave et al. (2008) consider automatic generation of test inputs for strongly typed 

and moded logic programming languages like the Mercury programming language ( [Somogyi et al. 1996 ) 

whereas we only require moding the top-level predicate of the program. 

One of the closest approaches to our work is the test case generation technique by 
(jAlbert et al. 2014| . The main difference, though, is that their technique is based 
solely on traditional symbolic execution. As mentioned before, concolic testing may 
scale better since one can deal with more complex constraints by using data from 
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the concrete component of the concolic state. Another difference is that we aim at 
full path coverage (i.e., choice coverage), and not only a form of statement coverage. 

Another close approach is (IVidal 2015|l . where a concolic execution semantics 
for logic programs is presented. However, this approach only considers a simpler 
statement coverage and, thus, it can be seen as a particular instance of the technique 
in the present paper. Another significant difference is that, in (IVidal 2015^ . concolic 
execution proceeds in a stepwise manner: first, concrete execution produces an 
execution trace, which is then used to drive concolic execution. Although this scheme 
is conceptually simpler, it may give rise to poorer results in practice since one cannot 
use concrete values in symbolic executions, one of the main advantages of concolic 
execution over traditional symbolic execution. Moreover, Vidal (2015) presents no 
formal results nor an implementation of the concolic execution technique. 

Summarizing the paper, we have introduced a novel scheme for concolic testing 
in logic programming. It offers a sound and fully automatic technique for test case 
generation with a good code coverage. We have stated the particular type of unifi¬ 
cation problems that should be solved to produce new test cases. We have proposed 
a correct algorithm for such unification problems. Furthermore, we have developed 
a publicly available proof-of-concept implementation of the concolic testing scheme, 
contest, that shows the usefulness of our approach. To the best of our knowledge, 
this is the first fully automatic testing tool for Prolog that aims at full path coverage 
(here called choice coverage). 

As future work, we plan to extend the scheme to full Prolog (see the remarks 
in Section 14.31) . Another interesting subject for further research is the definition of 
appropriate heuristics to drive concolic testing w.r.t. a given coverage criterion. This 
might have a significant impact on the quality of the test cases when the process is 
incomplete. Finally, from the experimental evaluation, we observed that the results 
could be improved by introducing type information, so that the generated values are 
restricted to the right type. Hence, improving concolic testing with type annotations 
is also a promising line of future work. 
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In this appendix we report, for the sake of completeness, some auxiliary contents 
that, for space limitations, we could not include in the paper. 


Appendix A Towards Extending Concolic Testing to Full Prolog 

In this section, we show a summary of our preliminary research on extending con- 
colic execution to deal with full Prolog. First, we consider the extension of the 
concrete semantics. Here, we mostly follow the linear semantics of (Stroder et al. 
2011), being the main differences that we consider built-ins explicitly, we excluded 
dynamic predicates for simplicity —but could be added along the lines of (Stroder 
et al. 2011)— and that, analogously to what we did in Section [21 only the first 
answer for the initial goal is considered. 

In the following, we let the Boolean function defined return true when its argu¬ 
ment is an atom rooted by a defined predicate symbol, and false otherwise (i.e., a 
built-in). Moreover, for evaluating relational and arithmetic expressions, we assume 
a function eval such that, given an expression e, eval(e) either returns the evalua¬ 
tion of e (typically a number or a Boolean value) or the special constant error when 
the expression is not instantiated enough to be evaluated. E.g., eval(2 -|- 2) = 4, 
eval(3 > 1) = true, but eval(A > 0) = error. 

The transitions rules are shown in Figure [ATI In the following, we briefly explain 
the novelties w.r.t. the rules of Section |2j 

• In rule choice we use the notation c[!/!™] to denote a copy of clause c where 
the occurrences of (possibly labeled) cuts ! at predicate positions (e.g., not 
inside a call), if any, are replaced by a labeled cut !"*, where m is a fresh label. 
Also, in the derived state, we add a scope delimiter ?"*. 

• Rule cut removes some alternatives from the current state, while rule cut_fail 
applies when a goal reaches the scope delimiter without success. 
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• The rules for call and negation should be clear. Let us only mention that the 
notation yl[V/call(V), !/!"*] denotes the atom A in which all variables X on 
predicate positions are replaced by call(X) and all (possibly labeled) cuts on 
predicate positions are replaced by !™. 

• Calls to the built-in predicate is are dealt with rules is and is_error by means 
of the auxiliary function eval. Rules rel and reLerror proceed analogously with 
relational operators like >, <, ==, etc. 

Regarding the concolic execution semantics, we follow a similar approach to that of 
Sectional The labeled transition rules can be seen in Figure |X2j Now, we consider 
six kinds of labels for 

• The labels o and c(£i , £ 2 ) with the same meaning as in the concolic semantics 
of Section [3l 

• The label u{ti,t 2 ), which is used to denote a unification step, i.e., the step 
implies that ti and t 2 should unify. 

• In contrast, the label d{ti,t 2 ) denotes a disunification, i.e., the step implies 
that ti and t 2 should not unify. 


(s 


(true^lS') (success^) 


(failure) 

(choice) 


(backtrack) 


S A ^ 


((fail, 6)5) ^ (fails) ' M(fail, 6 )| 5 ') ^ ( 5 ) 

defined(A) A clauses(A, V) = {ci,, Cn) A n > 0 A m is fresh 
((A, R)s I 5) ^ ((T, I... I (A, I ?r I S) 


, , . „ ... defined(A,P) A clauses(T,P) = {} 

(choice_fail) 


(unfold) 

(cut) 

(call) 

(calLerror) 

(not) 

(unify) 

(is) 

(rel) 


(cut_fail) 


{{A,B)s\S) ^ ((fail,B)s|5) 

_mgu(T, Ri) = a _ 

((T,B)f^»M5)^((Sia,Ba)s.|5) 

((!-,B)s|5'| ?^|5)^(Rs| ?^|S) 
j4 0 V A m is fresh 

{{caU{A), B)s I 5) ^ ((A[V/call(V),!/!-], B)s | ?r | S) 

_ Aev _ 

{{call{A),B)s\S) (errors) 
m is fresh 

((\+(^), B)s I S) ^ ((call(T),!-, fail)s | | ?r | S) 

mgu(fi, f 2 ) = cr / fail 


(?r|S)^ (failsIS) 


{{ti=t2,B)s\S) ^ (Z 3 as<.|S') 
eval(62) = t 2 A error 
((fl is 62, B)s\S) ^ ((fl =f2,B)s| S) 

eval(fi ©f2) = ^ £ {true,fail} 

{{ti © t2,B)s\S) ^ {iA,B)s\ S) 


(unify Tail) 
(is_error) 
(reLerror) 


mgu(fi, f2) = fail 


{{ti =t2,B)s\S) (fails I S') 
eval(e2) = error 
{{ti is e2,B)s\S) (errors) 
eval(fi © f2) = error 
{{ti © t2, B)s I S) ->• (errors) 


Fig. Al. Extended concrete semantics 
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• The label is{X,t) denotes a step where is is evaluated (see below). 

• Finally, the label r{A', A) denotes that the relational expression A' should be 
equal to A G {true, fail}. 

In particular, in rules unify and unify_fail, the labels store the unification that 
must hold in the step. Note that the fact that mgu(fi,t 2 ) = fail does not imply 
mgu(f},f 2 ) = fail since and might be less instantiated than ti and f 2 - 


(success) 

(failure) 

(backtrack) 

(choice) 


(true^ I S ][ true^ | 5') {SUCCESS^ ][ SUCCESS^) 

((fail, 6)5 ][ (fail, BOe) (faiU ][ fail^) 

_ £ _ 

((fail, i?) I 5 I (fail, B') \ S') (S ][ 50 

defined(A) A clauses(A, V) = A n > 0 A m is fresh A clauses(AO "P) = 
({A,B)s\S][ {A',B')o\S') 

I I I I S 


I (A',Bre 


=1 [!/!"*] 




/ ^/-)C„[!/!™] I I 


(choice.fail) 


defined(A,P) A clauses(A,P) = {} A clauses(AOP) = Cf. 

({A, B)s I S I (A', B')g I S') B)s I S I (fail, B')g \ S') 


, _ mgu(T, Hi) = a A mgu{A',Hi) = a' _ 

((A, B) I S ][ (A', B') I S’) ((Bur, Ba),, I 5 ][ (Kur', B'u’)e^, \ S’) 

({\’-,B)s I Si I ?- I S I (!-, B’)e | | ?- | S’) {Bs \ ?- | S ][ B' | ?- | 5') 


(cut.fail) 

(call) 

(calLerror) 

(not) 

(unify) 
(unify _fail) 

(is) 

(is.error) 

(rel) 

(reLerror) 


(?- I 5 I ?- I S’) (fail^ I 5 ][ fails I S’) 

A ^ V A m is fresh 

{icall{A),B)s I S][ {call{A’),B')g \ S’) 

((A[V/call(V),!/n,B)i I ?- I 5][(A'[V/call(V),!/n,t?')e | | S’) 

_A e V_ 

({call{A), B)s I S ][ {call{A’), B’)e \ S’) (errors I error®) 

m is fresh 

((\+(A),B)s | 5 ][ (\+(A'),B')s IS') 

((call(A),!"*,fail)s I Bs I | S ][ (call(A'), !"*, fail)e | B' | ?^ | S') 

mgu(ii, f2) = cr A mgu(f, 4 j) = (j’ 

((4i = 42 , B)s I S I (i'l = B')s I S') ) (B^sa I s I B’u’^^, \ S’) 

mgu(4i,42) = fail 

((ii = 42, B)s I S I ( 4 'i = t’^,B’)g I S') ) (fails I s ][ fail® | S') 

eval(e2) = 42 ^ error A sym_eval(e2) = t’2 A X is fresh 
((41 is 62, B)s I S I ( 4 'i is e’2,B’)B I S') ) (( 4 i = 42, B)s I S I ( 4 'i = X, B')® I S') 

eval(e2) = error 

(( 4 i is e2,B)s I S I ( 4 ',^ is 63, B')® I S') ~>o (errors ][ error®) 

eval( 4 i ©42) = A G {true, fail} A sym_eval( 4 ',^ ©^2) = 
m®t 2 ,B)s\S][(t’,®t’ 2 ,B’)e\S’)^,^A’,A) {{A,B)s \ S][(A',B')® | S') 
eval( 4 i ©42) = error 

(( 4 i © 42 ,B)s I S I ( 4 '^ © t’2,B’)e I S') '^o (errors I error®) 


Fig. A 2. Extended concolic execution semantics 
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In rule is, we label the step with is{X, ^ 2 ) which means that the fresh variable X 
should be bound to the evaluation of t '2 after grounding it. Note that introducing 
such a fresh variable is required to avoid a failure in the subsequent step with 
rule unify because of, e.g., a non-ground arithmetic expression that could not be 
evaluated yet to a value using function sym_eval. Note that rule is_error does not 
include any label since we assume that an error in the concrete computation just 
aborts the execution and also the test case generation process. 

Finally, in rule rel we label the step with r(A', A) where A is the value true/fail 
of the relational expression in the concrete goal, and A' is a (possibly nonground) 
corresponding expression in the symbolic goal. Here, we use the auxiliary function 
sym_eval to simplify the relational expression as much as possible. E.g., sym_eval(3 > 
0) = true but sym_eval(3 -I- 2 > X) = 5 > X. 

These labels can be used for extending the concolic testing algorithm of SectionlH 
For instance, given a concolic execution step labeled with r{X > 0,true), we have 
that solving ^{X > 0) will produce a binding for X (e.g., {X/0}) that will follow 
an alternative path. Here, the concolic testing procedure will integrate a constraint 
solver for producing solutions to negated constraints. We find this extension of the 
concolic testing procedure an interesting topic for future work. 


Appendix B Proofs of Technical Results 
B.l Concolic Execution Semantics 

Proof of Theorem [I] 

Since the base case i = 0 trivially holds, in the following we only consider the 
inductive case i > 0. Let Ci = {Bg | S' ][ | S'). By the inductive hypothesis, we 

have |S| = |S'|, V ^ B, c = c' (if any), and p{Xn)9 ^ p{tn)S. Now, we consider the 
step Ci Ci+i and distinguish the following cases, depending on the applied rule: 

• If the rule applied is success, failure, backtrack or choiceJail, the claim follows triv¬ 
ially by induction. 

• If the rule applied is choice, let us assume that we have B = (A, S'), V = (A',X>') 

and clauses(A, V) = cj, j > 0. Therefore, we have Ct+i = {Bg^ | ... | Bg^ \ S | \ 

... I Vl" I S'), and the claim follows straightforwardly by the induction hypothesis. 

• Finally, if the applied rule is unfold, then we have that Bg = (A,S')^, Vg = 
(A',2?')g for some clause c = Hi -(r- Bi. Therefore, we have Ci+i = {{Bia,B'a)sa \ 
S ][ {Bicr',T>'cr')gcy' \ S'), where mgu(A,iLi) = a and mgu(A',iLi) = a'. First, 
c = c' holds by vacuity since the goals are not labeled with a clause. Also, the 
number of concrete and symbolic goals is trivially the same since |S| = |S'| by 
the inductive hypothesis. Now, by the inductive hypothesis, we have V ^ B and 
thus A' ^ A and V ^ S'. Then, since a = mgu(A, iJi), cr' = mgu(A',iJi), 
Var(iSi ^ Si) n Var(A) = {}, and Var{Hi ^ Si) fl Var(A') = {}, it is easy to see 
that A'cr' ^ Act (and thus Va' ^ B'a) and a' ^ a when restricted to the variables 
ofiJi (and thus Sicr' Sicr). Therefore, we can conclude {Bia',V'a') < (Sicr, S'cr). 
Finally, using a similar argument, we have p{Xn)0a' ^ p{tn)Scr. 

□ 
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B.2 Solving Unifiability Problems 

First, we prove the following invariant which justifies that the algorithm in Defini¬ 
tion m is well dehned. 

Proposition 1 

The following statement is an invariant of the loops at lines [2] and [3] of the algorithm 
in Definition [ 6 j 

(invariant) (a.) A ^ B for all S S S and (b) A < B' for some B' G B. 

Proof 

Let us first consider the loop at line [21 Clearly, the invariant holds upon initializa¬ 
tion. Therefore, let us assume that it holds for some arbitrary set B and we prove 
it also holds for B' = By with r; = {X/t} for some simple disagreement pair X,t 
(or t,X). Let us consider part (a). Since A Ri i? for all B G B, there exist a sub¬ 
stitution 9 such that A9 = B0 for all B G B. Consider such an arbitrary B G B.li 
X ^ Var{B), then part (a) of the invariant holds trivially in B'. Otherwise, d{X/t} 
is clearly a unifier A and B, and it also holds. Consider now part (b). Since A < B' 
for some B' G B, there exists a substitution a such that Aa = B'. Using a similar 
argument as before, either An = B' with B' G B' or Aa{X/t} = B'{X/t} with 
B'{X/t} G B, and part (b) of the invariant also holds in B'. 

Let us now consider the loop at line |31 Clearly, the invariant holds when the 
previous loop terminates. Let t, t' be the selected disagreement pair. Then t, t' 
is replaced in S by a fresh variable U G U, thus obtainining a new set B'. Let 
r]i := {U/t} and r ]2 ■= {U/t'}. Both rji and r ]2 are idempotent substitutions because 
U ^ Var{t) and U ^ Var{t') since U is fresh. Let Bi^ B 2 be the atoms of B where 
t, t' come from and Ci, C 2 be the atoms obtained by replacing t, t' in Bi,B 2 by U. 
Then Bi = Ciyi and B 2 = C' 2 ? 72 - Now, we want to prove that the invariant also 
holds in B' = S \ {Bi, i? 2 } U {Ci, C 2 }. Part (a) is trivial, since we only generalize 
some atoms: if A unify with Bi and B 2 , it will also unify with Ci and C 2 - Regarding 
part (b), we have that A < B' for some B' G B. Clearly, part (b) also holds in B' 
if B' is different from Bi and B 2 . Otherwise, w.l.o.g., assume that B' = Bi and 
A < Bi- Since A k, Bi and A B 2 , and t,t' is a disagreement pair for Ri,i? 2 , 
we have that the subterm of A that corresponds to the position of t, t' should be 
more general than t,t' (otherwise, it would not unify with both terms). Therefore, 
replacing t by a fresh variable U will not change that, and we have ^ < Ci for some 
CiGB. □ 

The following auxiliary results are useful to prove the correctness of the algorithms 
in Definitions [5] and [71 

Lemma 1 

Suppose that A9 = B9 for some atoms A and B and some substitution 6. Then we 
have A9t] = Bydy for any substitution 77 with [Dom{ri) n Var{B)] n Dom{0) = {} 
and Ran{Tj) n Dom{9r]) = {}. 
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Proof 

For any X G Var{B), 

• either X ^ Dom{ri) and then XrjOrj = XOtj 

• or X G Dom{ri) and then X-qOrj = {XrDOrj = Xrj because Ran{rj) n Dom{0rj) = {}. 
Moreover, X ^ Dom{6) because [Dom{ri) n Var{B)] fl Dom{9) = {}, so XOrj = Xr], 
Finally, XrjOr] = X9rj. 

Consequently, Br]9ri = B9 t]. As A9 = B9, we have A9r] = B9r] i.e. A9r] = BT]9r]. 

□ 


Proposition 2 

The loop at line [5] always terminates and the following statement is an invariant of 
this loop. 

(inv) For each A' G {A} U Hpos there exists B £ B and a substitution 9 such that 
A'9 = B9 and Var{B) fl Dom{9) = {}. 


Proof 

Action (I2bl) reduces the number of simple disagreement pairs in B which implies 
termination of the loop at line [2] 

Let us prove that (inv) is an invariant. First, (inv) clearly holds upon initialization 
of B. Suppose it holds prior to an execution of action (I2bll . Therefore, for each 
A! G {A} U T-Lpos there exists B £ B and a substitution 9 such that A'9 = B9 and 
Var{B) n Dom{9) = {}. Let t,t' be the selected simple disagreement pair. Then, 
we consider a substitution rj determined by t,t'- For any X £ Ran{r]), we have 
X £ Var(B). Thus X ^ Dom{9) by (inv). Hence Ran(r/) D Dom(9) = {}. Moreover, 
as t,t' is a simple pair we have Ran(r]) n Dom(r]) = {}. Hence, 

Ran{ri) fl Dom{9r]) = {} . (Bl) 

Since B £ B, we have [Dom{ri) fl Var{B)] n Dom{9) = {}. Consequently, by (jBip 
and Lemma [T] we have 

A'9ri = Br]9r] . 

Now, we want to prove that (inv) holds for Brj, i.e., that for each A' G {A} U Rpos 
there exists Brj £ Bp and a substitution 9' such that A'9' = Bp9' and VariBp) fl 
Dom{9') = {}. We let 9' = 9p, so A'9p = Bp9p holds. Now, suppose by con¬ 
tradiction that Var{Bp) fl Dom{9p) ^ {}, and let X be one of its elements. We 
have X ^ Dom{p) because Ran{p) n Dom{p) = {}, so A G Dom{9). Moreover, 
X ^ Ran{p) by (IBII) so A G Var{B). Therefore, A G Var(B) fl Dom(9) which by 
(inv) gives a contradiction. Consequently, 

Var{Bp) n Dom{9p) = {} 

and the claim follows. □ 
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Proposition 3 

The loop at line [ 3 ] always terminates and the following statement is an invariant of 
this loop. 

(inv') For each A' G {A} U T-Lpos there exists B G B and a substitution 9 such that 
A'9 = B9 and Var{B) fl Dom{9) C ht. 

Proof 

Action (I 3 bl) reduces the number of disagreement pairs in B which implies termina¬ 
tion of the loop at line |31 

Let us prove that (inv') is an invariant. By Proposition [31 (inv) holds upon 
termination of the loop at line [31 hence (inv') holds just before execution of the 
loop at line m Suppose it holds prior to an execution of action (I 3 bl) . so we have 
that, for each A' G {A} U Bpos there exists B G B and a substitution 9 such that 
A'9 = B9 and Var{B) fl Dom{9) C U. Let t,t' be the selected disagreement pair. 
Then t, t' is replaced in S by a fresh variable U GU, thus obtainining a new set 
B' . Let rji := {U/t} and 772 := {U/t'}. Both iji and 772 are idempotent substitutions 
because U ^ Var{t) and U ^ Var{t') since U is fresh. Let Bi, B2 be the atoms of B 
where t, t' come from and Ci, C 2 be the atoms obtained by replacing t, t' in i?i, B 2 
by U. Then Bi = Cipi and B 2 = C 2 r] 2 - Now, we want to prove that (inv') holds 
in B' = B \ {Bi,B2} U {Ci,C2}, i.e., that for each A' G {A} U Hpos there exists 
B G B' and a substitution 9 such that A'9 = B9 and Var(S') fl Dom{9) C U. 

Since (inv') holds in S, we have A'9 = B9. Moreover, A' = A'r/i = A'772 because 
U does not occur in A'. So if i? = Bi then A'rii9 = Ci'qi9 and \i B = B 2 then 
A'7720 = C27720. Consequently, let us set 

• 9' -.= 9 and B' ■= B \i B ^ {Bi, ^2} 

• 9' := r]i9 and B' := Ci if i? = Bi 

• 9' := 7726* and B' := C 2 ii B = i?2. 

Then we have 

A'9' = B'9' . (B 2 ) 

Moreover, Dom{9') C Dom{9) U Dom{r]i) U £>0771(772) i.e. 

Dom{9') C Dom{9) U {U} . (B 3 ) 

As Var(C'i, C2) C Var(i 3 i, B2) U {U} then 
Var(C2,C2) n £>0771(0') C U 

because Var{Bi,B 2 ) fl Dom{9) C Z£ by (inv') and Var{Bi, B 2 ) C { 17 } = {[/} fl 
Dom{9) = {} and {U}r\{U} C U. Moreover, by (inv') we have Var(S)fl(£>0771 ( 0 )U 
{[/}) C so by ® 

Var{B) n Dom{9') C U . 

Hence, Var{B \ {i?i, ^2} U (Ci, C2}) fl Dom{9') C U. With (IB 2|1 this implies that 
upon termination of action (I 3 bl) the invariant (inv') holds because Bi is set to Ci 
and B2 to C2. □ 

The correctness of the algorithm in Definition [ 6 ] is then stated as follows. 
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Theorem 3 

Let A be an atom and ?{pos be a set of atoms such that Var{{A\ U 'Hpos) C\U = {} 
and A Ki B tor all B € TLpos ■ The algorithm in Definition [5] with input A and 
TLpos always terminates and returns a substitution 9 such that AOrj unifies with all 
the atoms of T-lpos for any idempotent substitution 77 with Dom^rj) C Var{A6) and 
Var{r]) C\U = {}. 

Proof 

Proposition [2] and Proposition |3] imply termination of the algorithm. Upon ter¬ 
mination of the loop at line [3] we have \B\ = 1. Let B be the element of B 
with A9 = B. Now, we want to prove that AOrj unifies with all the atoms in 
TLpos for any idempotent substitution rj (i.e., Dom{r]) n Ran{r]) = {}) such that 
Dom{ri) C Var{A6) = Var{B) and Var{ri) C\U = {}. By Proposition [H we have 
that, for all B' G TLpos: there exists a substitution 6' such that B9' = B'9' 
and Var{B) n Dom{9') C U. From all the previous conditions, it follows that 
[Domiri) n Var{B)\ n Dom{9') = {} and Ran{r]) n Dom{9'ri) = {}. Therefore, by 
Lemma [U we have BrjO'rj = B'd'-q. Finally, since A9 = B, we have AdrjO'r] = B'd'-q 
and, thus, AOrj unifies with B'. □ 

Proof of Theorem 

Each step of the algorithm terminates, hence the algorithm terminates. Assume 
that the algorithm returns a substitution a. The set Ga is ground by construction. 
By Theorem [3l we have that Aa = AOrj unifies with all the atoms in TLpos as long 
as 77 is idempotent, Dom{ri) C Var{Ad) and Var{ri)r\U = {}. Finally, the last check 
ensures that Aa does not unify with any atom of TLneg- Cd 

B.2.1 Completeness 

For simplicity, we ignore the groundness constraint in this section. Therefore, we 
now focus on the completeness of the following unification problem: Let A be an 
atom and TLpos, TLneg be sets of atoms such that A « S for all B G TLpos U TLneg- 
Then, we want to find a substitution a such that 

Aa w B for all B G TLpos but -<{Aa k, B') for all B' G TLneg (**) 

We further assume that all atoms are renamed apart. 

Let us first formalize the notion of unifying substitution: 

Definition 8 {unifying substitution) 

Let A be an atom and let S be a set of atoms such that Var{A,B) AlA = {} and 
A K, B for all B G B. We say that cr is a unifying substitution for A w.r.t. B if 
Aa « B for all B G B. 

In particular, we are interested in maximal unifying substitutions computed by the 
algorithm in Definition [ 6 l The relevance of maximal unifying substitutions is that 
variables from U identify where further instantiation would result in a substitu¬ 
tion which is not a unifying substitution anymore. For the remaining positions, we 
basically return their most general unifier. 
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Now, we prove that binding an atom A with a maximal unifying substitution for A 
w.r.t. Tipos does not affect to the existence of a solution to our unification problem 
(**) above. Here, for simplicity, we assume that only most specific solutions are 
considered, where a solution a is called a most specific solution for A and T-Lpos, T~ineg 
if there exists no other solution which is strictly less general than cr. Furthermore, 
we also assume that the atom A has the form p{Xi ,..., X^)- 

Lemma 2 

Let A be an atom and T-Lpos , LLneg be sets of atoms such that A Ki B ioi all B € 
T-Lpos U T-Lneg ■ If there exists a substitution a such that Aa « B for all B G T-Lpos and 
-<{Aa « B) for all B G T-ineg, then there exists a maximal unifying substitution 6 
and a substitution a' such that AQa' k, B for all B G T-Lpos and ^{AOa' k, B) for 
all B G Tineg- 

Proof 

(sketch) Let us consider the stages of the algorithm in Definition [6] with input 
Ttpos (atom A is not needed since it has the form p{Xi ,..., Xn) and, thus, imposes 
no constraint). The first stage just propagates simple disagreement pairs of the 
form X,t or t,X. When X only occurs once, it is easy to see that a is also a 
(most specific) unifying substitution for A w.r.t. Tipos{X/1\. Consider, e.g., that cr 
contains a binding of the form Xi/C\t'] for some i G {1,... ,n} and context C[ ] 
and such that t' corresponds to the same position of X and t in %pos- Depending 
on the terms in the corresponding position of the remaining atoms, we might have 
t' < t OT t < t'. Either case, replacing X hy t will not change the fact that a is still 
a most specific unifying substitution for T-LposiX/t}. 

The step is more subtle when there are several simple disagreement pairs for a 
given variable, e.g., X,ti and X,t 2 (we could generalize it to an arbitrary number 
of pairs, but two are enough to illustrate how to proceed). In this case, if ti < t 2 , 
we choose X, t 2 and the reasoning is analogous to the previous case. However, when 
neither ti < t 2 not t 2 < , the algorithm in Definition [6] is non-deterministic and 

allows us to choose any of them. As before, let us consider that a contains bindings of 
the form XilC\l'fi^ and Xj /C"[ty for some i, j G {!,..., n} and contexts C[ ], C"[ ] 
and such that and ^2 correspond to the same positions of ti and t 2 in Tipos, 
respectively. Here, assuming there are no further constraints from the remaining 
atoms, a most specific unifying substitution might either bind Xi to C[ti\ and leave 
Xj unconstrained (e.g., bound to a fresh variable) or the other way around: bind 
Xi to C\t 2 ] and leave Xj unconstrained. Here, we choose the same alternative as in 
the considered solution cr, say Xi is bound to Therefore, tr is still a unifying 

substitution for A w.r.t. TLposlX/ti}. Note that the new (non-simple) disagreement 
pair ti,t 2 introduced in T-Lpos{X/ti} will be generalized away in the next stage (and 
replaced by a fresh variable from IT). 

Therefore, when the first stage is completed (i.e., step 2 in Definition |6]) , we have 
propagated some terms from one atom to the remaining ones -as in the computation 
of a most general unifier- thus producing a new set TL'p^g such that a is still a (most 
specific) unifying substitution for A w.r.t. Ti'pos- 
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By definition, after this stage, there are no simple disagreement pairs in T-Lpag. 
Then, in the second stage (step 3 in Definition |6]) , we replace every (non-simple) 
disagreement pair ti,t 2 by a fresh variable U from U. Since a was a unifying sub¬ 
stitution for T-L'posj it should have a binding Xi/C\W] for some i S {1,... ,n} and 
context C[ ] and such that W corresponds to the same position of ti and t 2 in 
?{pos, where IT is a variable. Therefore, replacing t, t' by a fresh variable U will not 
change the fact that a is still a unifying substitution for the resulting set (up to 
variable renaming). 

Hence, when the second stage is finished, we have a new set T-Lpog without any 
disagreement pair at all, i.e., T-Lpog = {B} with AO = B. Moreover, since tr is a most 
specific uniyfing substitution for A w.r.t. we have 0 < a \Var{A)]. Therefore, 

there exists a substitution cr' such that Aa = AOa' such that a' is a solution for AO 
and 'Hpos^'Hneg, which concludes the proof. □ 


Appendix C Some More Examples on Solving Unifiability Problems 

Example 6 {maximal unifying substitution) 

Let A = p{X,Y) and Bpos = {pis{a), s{c)),p{s{b), s{c)),p{Z, Z)}. First the algo¬ 
rithm of Definition 11 sets B := {p{X,Y),p{s{a), s{c)),p{s{b), s{c)),p{Z, Z)}, then 
it considers the simple disagreement pairs in B. The substitution rji := {A/s(a)} 
is determined by X, s{a). Action (IZbl) sets B to Bpi i.e. to 

{p(s(a), Y),p{s{a), s{c)),p{s{b), s{c)),p{Z, Z)} . 

The substitution 772 := {Y/s{c)} is determined by F, s(c). Action (l2bl) sets B to 
^02 = {p{s{a),s{c)),p{s{h),s{c)),p{Z,Z)}. The snbstitntion 773 := {Z/s{c)} is de¬ 
termined by Z, s{c). Action ((2bl) sets B to S 773 i.e. to 

{p(s(a), s(c)),p(s(6), s(c)),p(s(c), s(c))} . 

Now no simple disagreement pair occurs in B hence the algorithm skips to the loop 
at lined 

• Action (I 3 bp replaces the disagreement pair a, b with a fresh variable U €U, 
hence B is set to {p(s(C/), s(c)),77(3(0), s(c))}. 

• Action (| 3 b)l replaces the disagreement pair [/, c with a fresh variable U' £ LI, 
hence B is set to { 77 (s(C/'), s(c))}. 

As \B\ = 1 the loop at line d stops and the algorithm returns the substitution 
{X/s{U'),Y/s{c)}. 

Note that there are several non-deterministic possibilities for 771, 772 and 773. For 
instance, if we consider 773 := {Z/s(a)}, which is determined by Z/s{a), then B is 
set to {p(s(a), s(c)),77(3(6), s(c)),77(3(0), s(a))}. The loop at line d finally sets B to 
{77(3(17), 3(17'))}, so the algorithm returns the substitution {X/s{U),Y/s{U')}. 

We note that the set B used by the algorithm of Definition d may contain several 
occurrences of a same, non-simple, disagreement pair. 
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Example 1 [maximal unifying substitution) 

Let A = p{X,Y) and Hpos = {p[a,a),p[b,b)}. First the algorithm sets B := 
{p{X,Y),p{a,a),p{b,b)}. Then the loop at line [2] considers the simple disagree¬ 
ment pairs in B and, for instance, it sets B to {p[a, a),p[b, &)} (it may also set B to 
{p[a^b),p[a,a),p[b,b)} or to {p[b,a),p[a,a),p[b,b)}). As no simple disagreement 
pair now occurs in B, the algorithm jumps at line [S] The pair a, b occurs twice in 
A. Action (I3bll replaces each occurrence with the same variable U €U, so the loop 
at line[3]sets B to {p{U,U)} and the algorithm returns {X/U,Y/U}. 

Example 8 [maximal unifying substitution) 

Let A = p[X,Y) and ?{pos = {p(a,b),p[b,a)}. First the algorithm sets B := 
{p[X,Y),p[a, b),p[b, a)}. Then the loop at line [2] considers the simple disagree¬ 
ment pairs in B and, for instance, it sets B to {p[a, b),p[b, a)} (it may also set B to 
{p[a,a),p[a,b),p[b,a)} or to {p(6, &),p(a, &),p(6, a)}). As no simple disagreement 
pair now occurs in B, the algorithm jumps at line [H The pairs a, b and 6, a occur 
once in A and Action (I3bp replaces them with two different variables U, U' € U. So 
the loop at line[3]sets B to {p[U,U')} and the algorithm returns {X/U,Y/U'}. 


